baselsayeh / e5577s_321_kernel

hacked up kernel source for e5577s_321 (and e5577Cs_321)

Help? #1

Closed saqie1393 closed 3 years ago

saqie1393 commented 3 years ago

Solved

baselsayeh commented 3 years ago

Hello, please provide more info on what you're trying to do. What are you trying to patch? On which device?

baselsayeh commented 3 years ago

@saqie1393 The script offsets will need to be reverse engineered for each firmware (if needed). Are you trying to build a custom firmware for e5573cs-322 or for another device?

baselsayeh commented 3 years ago

@saqie1393 On which device exactly do you need to modify the firmware? And which firmware? Can you provide a copy of /proc/kallsyms and /proc/iomem?

baselsayeh commented 3 years ago

https://www.mediafire.com/file/56rcur3le3ipox5/kallsyms.txt/file

(Note: these instructions will work with current efuse firmwares, and are NOT guaranteed to work with later versions/models other than this list)

After disassembling VxWorks, I found out that a function referencing the string "WAS_CSEL_MNTN_TreselectionTimerStopEventRpt" was checking whether the device is unlocked.

Search for the string "WAS_CSEL_MNTN_TreselectionTimerStopEventRpt" [image], go to each function that references this string (in E5573cs-322 21.333.64.00.1456, it was FUN_005d7174). One of them should check for == '\x01' [image]

The destination pointer location (the highlighted red location) should contain the location needed for simunlock.sh.

If the string "WAS_CSEL_MNTN_TreselectionTimerStopEventRpt" isn't referenced by any function, then try "WAS_CSEL_PhyLrrcEutraMeasStopInIdleCnf", or use BinDiff to find offsets compared to E5573cs-322 21.333.64.00.1456 (use function FUN_005d75f4 when comparing).
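The post above describes the first step of the offset search by hand: locate a known string in the firmware image and then find the code that references it. The following script is an added example (not code from this repository or from the post's author) that automates that triage on a raw image: it finds every NUL-terminated occurrence of the string and then scans for 32-bit little-endian words holding the string's virtual address, which is how ARM literal pools typically store such references. The load base (`LOAD_BASE`) is a placeholder assumption, and the firmware image is a constructed sample, not a real dump.

```python
import struct

# Assumption: placeholder load address. Replace with the real base of the
# VxWorks image (e.g. as derived from /proc/iomem or the image header).
LOAD_BASE = 0x00400000


def find_string_offsets(image: bytes, needle: str) -> list:
    """Return every file offset where `needle` occurs as a NUL-terminated string."""
    pat = needle.encode("ascii") + b"\x00"
    offsets, start = [], 0
    while True:
        i = image.find(pat, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def find_pointer_refs(image: bytes, target_va: int, align: int = 4) -> list:
    """Return offsets of aligned 32-bit little-endian words equal to `target_va`.

    These are candidate literal-pool entries; the code that loads them is the
    function to inspect in the disassembler.
    """
    pat = struct.pack("<I", target_va)
    return [off for off in range(0, len(image) - 3, align)
            if image[off:off + 4] == pat]


def locate_string_xrefs(image: bytes, needle: str, load_base: int) -> dict:
    """Map each string offset to the file offsets of words that point at it."""
    return {so: find_pointer_refs(image, load_base + so)
            for so in find_string_offsets(image, needle)}


def build_sample_image() -> bytes:
    """Constructed sample image: one string at 0x100, two literal-pool pointers to it."""
    img = bytearray(0x300)
    s = b"WAS_CSEL_MNTN_TreselectionTimerStopEventRpt\x00"
    img[0x100:0x100 + len(s)] = s
    img[0x40:0x44] = struct.pack("<I", LOAD_BASE + 0x100)
    img[0x200:0x204] = struct.pack("<I", LOAD_BASE + 0x100)
    return bytes(img)


if __name__ == "__main__":
    xrefs = locate_string_xrefs(build_sample_image(),
                                "WAS_CSEL_MNTN_TreselectionTimerStopEventRpt",
                                LOAD_BASE)
    for str_off, ref_offs in xrefs.items():
        print(f"string @ 0x{str_off:x} (VA 0x{LOAD_BASE + str_off:x}) "
              f"referenced from: {[hex(r) for r in ref_offs]}")
```

The scan only catches absolute pointers; references built with PC-relative ADR/ADRP sequences or Thumb literal loads that the linker has folded will not show up, so treat the output as a list of places to open in the disassembler, and rely on the disassembler's own cross-references (or BinDiff against the known build, as the post suggests) when the list is empty.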